Introduction to SQL Injection: Hands-On
1. Reset the Database Before Using It
2. SQL Database StructureThe database named
3. SQL SELECT QueriesSQL uses easily-understood commands like SELECT, UPDATE, and DELETE. Try the queries below to see how SELECT works.
SELECT Queries to Try
|SELECT * FROM sqlol.users||Get all fields from the table "sql.users"|
|SELECT * FROM sqlol.ssn||Get all fields from the table "sql.ssn"|
|SELECT name FROM sqlol.ssn||Get field "name" from the table "sql.ssn"|
|SELECT ssn as name FROM sqlol.ssn||Get field "ssn" from the table "sql.ssn" and change its field name to "name"|
|SELECT * FROM sqlol.ssn WHERE name='Herp Derper'||Get all fields from the table "sql.ssn" with the "name" field equal to "Herp Derper"|
|SELECT * FROM sqlol.ssn WHERE name='Fred'||Get all fields from the table "sql.ssn" with the "name" field equal to "Fred"|
|SELECT * FROM sqlol.ssn WHERE name='Fred' OR 'a'='a'||Get all fields from the table "sql.ssn" (the condition is always true)|
|SELECT username FROM sqlol.users UNION SELECT ssn AS username FROM sqlol.ssn||Combine data from two tables|
Writing to a File
|SELECT "Literal text" into outfile '/tmp/test1.htm'||Put literal text into a file (you'll need to change the filename to something that hasn't been used yet) |
Files will be visible at https://attack.samsclass.info/tmp/test1.htm
Reading From a File
|SELECT load_file('/tmp/test1.htm') FROM sqlol.users||Reads from a local file|
4. Search for UsernamesWebsites don't usually let you type in complete SQL queries, but only fields like usernames and passwords.
Attackers can sneak SQL commands in by using special characters like apostrophes.
Try the usernames below in this form to see how it works.
Performs This Query:
Usernames to Try
Find Database Names
Find Tables in sqlol Database
Find Columns within ssn Table
Dump Names and SSNs
Upload a PHP Shell
To use the shell, use a URL like this:
5. Safer Search with Input ValidationThe simplest defense is to encode special characters.
This stops many common SQL injection attacks with a single line of code.
Try the usernames above in this form:
Performs This Query:
Uses mysql_real_escape_string to Encode Special Characters
6. ChallengesUse the form in item 4 above to inject usernames that do the things below. For hints, see the "Sources" at the bottom of the page.
Challenge 1: Display names for administrators only, as shown below:
Challenge 2: Create a file on my server with your name as a filename, as shown below.
Challenge 3: Display the /etc/passwd file in a browser, as shown below:
Challenge 4: Put your name into this file:
Posted on or around 1-13-16 by Sam Bowne
Last modified 1-14-16 6:51 pm
Error in challenge 5 instructions fixed 1-14-16 9:34 pm ty @Ciccio_87XX
Challenge 6 added 1-15-16 1 pm ty @bcrook88
Winners page moved to enforce SUID security 1-17-16 4:28 pm
Link to Useful SQL Injections added 4-1-16
Description of challenge 1 fixed 4-12-16
PHP shell added & last WINNERS URL fixed 6-27-16
Output to /tmp explaines 2-3-18
Challenges 5 and 6 removed 2-7-18
PHP shell instructions added 2-7-18
Input and output to a file expanded 2-14-18
"ssl" corrected to "ssn" and Chal 4 Updated 2-20-18